VPN Client with ASA; Discarded packets on VPN Client

Unanswered Question
Feb 22nd, 2009

HI,

I have a ASA that has the private IP address connected to the router. The router is doing the natting to a dedicated public IP address.

I have configured the VPN client settings on the firewall and when i connect the VPN client then it is connected but no communication.

On the firewall i am seeing

interface: Internet

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 172.16.16.16

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)

current_peer: 90.90.66.67, username: cisco

dynamic allocated peer ip: 192.168.0.1

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 265, #pkts decrypt: 265, #pkts verify: 265

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 172.16.16.16/4500, remote crypto endpt.: 90.90.66.67/4500

path mtu 1500, ipsec overhead 82, media mtu 1500

current outbound spi: 98CACC8C

inbound esp sas:

spi: 0x8E2B293F (2385193279)

transform: esp-aes esp-sha-hmac no compression

in use settings ={RA, Tunnel, NAT-T-Encaps, }

slot: 0, conn_id: 3309568, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (sec): 28451

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0x98CACC8C (2563427468)

transform: esp-aes esp-sha-hmac no compression

in use settings ={RA, Tunnel, NAT-T-Encaps, }

slot: 0, conn_id: 3309568, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (sec): 28448

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

on the VPN Client, I am seeing,

Recieved: 0

Sent: 55587

Encrypted: 300

Decrypted: 0

Discarded: 92

Bypassed:0

It seems that VPN client encrypt the packet and sent to firewall. firewall decrypt the packet and sent to host. host replied to that response but for some reason the packet is not get encrypted on the firewall.

Can you please help me out?

Can the natting on the router have problem? I have used simple static nat command with extendable keyword.

On firewall, Crypto isakml nat-traversal 20 is configured.

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
t4tauseef33 Wed, 02/25/2009 - 09:20

Hi,

the configuration for remote access is simple like that.

tunnel-group XYZ type remote-access

tunnel-group XYZ general-attributes

address-pool POOL

default-group-policy RemoteAccess-Policy

tunnel-group XYZ ipsec-attributes

pre-shared-key *****

From the VPN Client, i can access the other site-site VPN subnets that are terminating on the firewall but cannot access the local subnets connected to the firewall interfaces. This seems to be very strange.

Any idea, what will be the problem.

I have done the nat examption and can see on firewall logs. traffic is comming from VPN client hitting the firewall ,then hitting the destination server, destination server reply to firewall. firewall got the packets as seen from packet capture but not passed to vpn client.

bmcginn Wed, 02/25/2009 - 16:45

Hi there,

Is the defined interesting traffic the same on both endpoints?

Actions

This Discussion